First though, some of the recent revelations discovered by Facebook users. As reported in the UK's Guardian, "Facebook's new system for connecting together the web seems to have a serious privacy hole, a web developer has discovered.

Some people report that they are able to see the public "events" that Facebook users have said they will attend – even if the person is not a "friend" on the social network. The discovery was made by Ka-Ping Yee, a software engineer for the charitable arm of Google, who was trying out the search query system known as the "Graph API" released by Facebook last Friday. In some cases – though not all – it will let you see the public events that people have said they will attend, or have attended.

Yee demonstrated the flaw by showing how the API – which plugs directly into Facebook's databases – can show you a list of Facebook founder Mark Zuckerberg's planned public events.

...

The discovery will intensify the debate over Facebook's new system – which has drawn complaints that it makes it far too difficult to keep personal information private.

The implications of being able to find out the movements of any of the 400m people on Facebook are potentially wide-ranging – although the flaw does not seem to apply to every user, or every event. Yee says that the simplest way to prevent your name appearing in such lists is to put "not attending" against any event you are invited to.

The problem mirrors that which Google ran into when it created its new Buzz systems, which aimed to create a Twitter-like social network – but annoyed people because it assumed that anyone with whom you had exchanged email would want to be part of your network. But the example of a wife who wanted to stay away from her abusive husband – but with whom she had once swapped an email – showed that Buzz had a flawed approach to privacy.

Similarly the Facebook API system may turn out to be crucially flawed. "What can your event list say about you? Quite a bit," wrote Yee. "It might reveal your home address, your friends' home addresses, the names and groups of people you associate with, your hobbies, or your political or religious activities, for example."

As I mentioned on Tuesday, Facebook's effort to spread its online social network to other websites has been noticed by lawmakers and FTC regulators looking into privacy concerns.

Four senators said Tuesday that Facebook needs to make it easier for its 400 million users to protect their privacy as the site opens more avenues for them to share their interests and other personal information.

As detailed by Business Week, "Having built one of the Web's most popular hangouts, Facebook is trying to extend its reach through new tools called "social plug-ins." These enable Facebook's users to share their interests in such products as clothes, movies and music on other websites. For instance, you might hit a button on Levis.com indicating you like a certain style of jeans, and then recommend a movie on another site. That information about the jeans and the movie might be passed along to other people in your Facebook network, depending on your privacy settings.

Facebook says all this will help personalize the Web for people. It stresses that no personal information is being given to the dozens of websites using the new plug-ins.

Still, it means that information that hadn't been previously communicated could get broadcast to your friends and family on Facebook.

And Facebook is indeed sharing some personal information with three websites that Facebook hopes will demonstrate how online services can be more helpful when they know more about their users. The sites with greater access to Facebook's data are business review service Yelp, music service Pandora and Microsoft Corp.'s Docs.com for word processing and spreadsheets.

Facebook users who don't want to be part of the company's expansion have to go through their privacy settings and change their preferences.

Now we have Senator Schumer, and other lawmakers, pledging to introduce legislation that would expand the FTC's powers over Facebook and other Internet social networks if the regulatory agency doesn't feel it has the authority to require more straightforward privacy controls.

The political pressure could undermine Facebook's ambition to create a more social, open Web that could make it easier to aim online advertising at consumers based on their presumed interests. Facebook would probably thrive in a more communal Internet because it has amassed a huge database of personal information since Zuckerberg set up its website in a Harvard dorm room six years ago.

Wired magazine highlights Facebook CEO Mark Zuckerberg's seeming disdain for privacy and the uncomfortable place this puts those of us - me included - that enjoy the social service, stating, "Zuckerberg’s apparent disregard for your privacy is probably not reason enough to delete your Facebook account. But we wouldn’t recommend posting anything there that you wouldn’t want marketers, legal authorities, governments (or your mother) to see, especially as Facebook continues to push more and more of users’ information public and even into the hands of other companies, leaving the onus on users to figure out its Rubik’s Cube-esque privacy controls.

Facebook has been on a relentless request over the past six months to become the center of identity and connections online. The site unilaterally decided last December that much of a user’s profile information, including the names of all their friends and the things they were “fans” of, would be public information — no exceptions or opt-outs allowed.

Zuckerberg defended the change — largely intended to keep up with the publicness of Twitter, saying that people’s notions of privacy were changing. He took no responsibility for being the one to drag many Facebook users into the net’s public sphere.

Then last week at its f8 conference, Facebook announced it was sending user profile information in bulk to companies like Yelp, Pandora and Microsoft. Thus, when users show up at those sites while logged in to Facebook, they see personalized versions of those services (unless the user opts out of each site, somewhere deep in the bowels of Facebook’s privacy control center).

Facebook is also pushing a “Like” button, which lets sites put little Facebook buttons on anything from blog entries to T-shirts in web stores. Clicking that button sends that information to Facebook, which publishes it as part of what it calls the Open Graph, linking your identity to things you choose online. That information, in turn, is shared with whatever sites Facebook chooses to share it with — and to the sites you’ve allowed to access your profile.

With all that said, let's get to my featured post from EFF on Facebook's remarkable transformation over the past 5 years. EFF notes, "When it started, it was a private space for communication with a group of your choice. Soon, it transformed into a platform where much of your information is public by default. Today, it has become a platform where you have no choice but to make certain information public, and this public information may be shared by Facebook with its partner websites and used to target ads.

To help illustrate Facebook's shift away from privacy, we have highlighted some excerpts from Facebook's privacy policies over the years. Watch closely as your privacy disappears, one small change at a time!

Facebook Privacy Policy circa 2005:

"No personal information that you submit to The facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

...

Current Facebook Privacy Policy, as of April 2010:

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. ... The default privacy setting for certain types of information you post on Facebook is set to “everyone.” ... Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection."

Viewed together, the successive policies tell a clear story. Facebook originally earned its core base of users by offering them simple and powerful controls over their personal information. As Facebook grew larger and became more important, it could have chosen to maintain or improve those controls. Instead, it's slowly but surely helped itself — and its advertising and business partners — to more and more of its users' information, while limiting the users' options to control their own information.

Needless to say, I think a strong case can be made that Facebook EPITOMIZES the direction social networking sites, and the web in general, are headed...and new laws and protections are needed immediately...

Tuesday, April 27, 2010

This represents some real good news (possibly anyway). Last week I wrote about the recent study by researchers at UC Berkeley and the University of Pennsylvania indicating younger adults DO want increased privacy and have views similar to those of their elders, even with social networks encouraging them to share more online.

Perhaps this new information has been helpful in giving some legislators the cover they need to start making social networking sites like Facebook address the myriad of concerns, and violations if you ask me, of user privacy.

Before I get to the article about a new effort by some Democratic Senators to regulate these sites, let me highlight another recent study that tells the story about what Facebook, and other social networking sites are doing to undermine privacy (and which could be stopped immediately without affecting the general enjoyment one gets from using them).

The study found that the 43 leading sites made privacy control settings difficult to find and to understand; and the defaults were almost always set to allow maximum dispersal of data.

In January Facebook Chief Executive, Mark Zuckerberg, declared the age of privacy to be over. A month earlier, Google Chief Eric Schmidt expressed a similar sentiment. Add Scott McNealy's and Larry Ellison's comments from a few years earlier, and you've got a whole lot of tech CEOs proclaiming the death of privacy--especially when it comes to young people.

It's just not true. People, including the younger generation, still care about privacy. Yes, they're far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They're not technically sophisticated about privacy and make mistakes all the time, but that's mostly the fault of companies and Web sites that try to manipulate them for financial gain.

...

Here's the problem: The very companies whose CEOs eulogize privacy make their money by controlling vast amounts of their users' information. Whether through targeted advertising, cross-selling or simply convincing their users to spend more time on their site and sign up their friends, more information shared in more ways, more publicly means more profits. This means these companies are motivated to continually ratchet down the privacy of their services, while at the same time pronouncing privacy erosions as inevitable and giving users the illusion of control.

...

Facebook tried a similar control grab when it changed people's default privacy settings last December to make them more public. While users could, in theory, keep their previous settings, it took an effort. Many people just wanted to chat with their friends and clicked through the new defaults without realizing it.

Facebook has a history of this sort of thing. In 2006 it introduced News Feeds, which changed the way people viewed information about their friends. There was no true privacy change in that users could not see more information than before; the change was in control--or arguably, just in the illusion of control. Still, there was a large uproar. And Facebook is doing it again; last month, the company announced new privacy changes that will make it easier for it to collect location data on users and sell that data to third parties.

So now that we have an idea why Facebook - and sites like it - need to abide by some agreed upon rules when it comes to sharing our data, let's go to the article in C-Net detailing the proposals being made by various Senators, particularly Sen. Schumer:

A press release from Schumer's office announced that he has written to the FTC to ask that the agency "examine the privacy disclosures of social-networking sites to ensure they are not misleading or fail to fully disclose the extent to which they share information...(and) provide guidelines for use of private information and prohibit access without user permission."

This was prompted by the new products and services unveiled by Facebook CEO Mark Zuckerberg at the social network's annual developer conference, which took place in San Francisco last week. The big showcase at F8 was the "Open Graph," which aims to forge firmer channels of communication between multiple social-networking sites. In conjunction, Facebook rolled out something called "Instant Personalization," which lets users easily share the bulk of their personal profile information with third-party companies.

According to Schumer, frequent changes to social-networking privacy policies can be extremely confusing for users, and that the FTC currently does not regulate this at all.

...

"...As these sites become more and more popular, however, it's vitally important that safeguards are in place that provide users with control over their personal information to ensure they don't receive unwanted solicitations. At the same time, social-networking sites need to provide easy-to-understand disclosures to users on how information they submit is being shared."

...

Schumer's press release explains that "if the FTC believes it does not have the tools or authority to issue guidelines on privacy disclosures, he would be willing to offer legislation."

Is this the last straw? Security advocates and the occasional lawmaker have been complaining about Facebook's continual changes to its privacy controls for ages now, and yet the social network continues to forge ahead. It does, however, make changes here and there: late last year, controversy over Facebook's decision to make users' friends lists public resulted in a complaint to the FTC and ultimately a modification on Facebook's behalf. Click here to read more.

In case you want a bit more information that proves Facebook and sites like it need to be regulated, consider more of the record. The company has been criticized for not allowing people to permanently delete their accounts and personal information from the site as well as their use of "Beacon" (no longer in use) - a technology that tracks users' online purchases and informs their friends.

Next, they released their new privacy settings, that were new, but were actually less private. There's more "publicly available information" that you can't control, there was the official "recommendation" that users should loosen their privacy settings, since Facebook's recommendations are less private than the previous default settings, most users have to click through to another page of privacy controls in order to strengthen their settings, and finally, the default settings are all set to the LEAST private setting.

Even if your Facebook profile is "private," when you take a quiz or run any other application, that app can access almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. And these apps may have access to most of the info on your friends' profiles too—which means if your friend takes a quiz, they could be giving away your personal information, even if you've never used an app!

The privacy settings that address this issue remain buried behind too many layers of menus and the new controls still fail to explain what applications can really see.

Then there's government and law enforcement access. Facebook reportedly receives up to 100 demands each week seeking information about its users.

Facebook’s draft privacy policy states that we'll be able to opt-out of third party sites that they have chosen to share our information with. But by default, we're all in. Seems a bit inconvenient, no? Another immediate question I had was what personal information are they sharing?

Add it all together, and there's a real strong case to pursue the kind of legislation, or action from the Federal Trade Commission.

Friday, April 23, 2010

Unfortunately I haven't been able to post here for over a week (reasons I won't even go into), and couldn't for almost 10 days before that due to vacation (had the chore of swimming with dolphins and whales in the Sea of Cortez...work, work, work :).

So, I feel I'm really behind here and there's so many things I'd like to get to. But, the one I have to single out today is the consumer and privacy coalition - which we (Consumer Federation of California) are a member of - challenging the use of, and investment in, the airport digital strip searches that are coming to an airport near you. I speak of course of what has been coined as "Whole-Body-Imaging".

As I wrote in my article "The Politics of Fear and "Whole-Body-Imaging", these full-body scanners use one of two technologies - millimeter wave sensors or backscatter x-rays - to see through clothing, producing images of naked passengers.

As I lay out in detail, there are MANY reasons to oppose the widespread use of these scanners, from the obvious, privacy, to the less so, they won't make us any safer. In fact, if you define the word "safe" as also including being "safe" from government and corporate intrusiveness and fear peddling, then I would argue it makes us less so, not more.

A Review: Why Airport Body Scanners Should be Opposed

Before I get to the coalition petition urging Janet Napolitano to stop purchasing these machines until there's comprehensive public hearings on them (which is CRITICAL if we are to get a chance to make more Americans aware of the full story), I want to just quickly highlight the main arguments against their use.

Before embracing this latest "terror fix", we should consider the larger context at work here: for every specific tactic we target with a new, expensive, and often burdensome security apparatus, the terrorist's tactics themselves will change.

Risks can be reduced for a given target, but not eliminated. If we strip searched every single passenger at every airport in the country, terrorists would try to bomb shopping malls or movie theaters.

Before we all run for the hills screaming "the terrorists are coming", willfully give up our civil liberties and freedoms, support wars on countries that did nothing to us, and sign off on wasting HUGE amounts of money on ineffectual security systems, consider this: Your chances of getting hit by lightning in one year are 500,000 to 1 while the odds you'll be killed by a terrorist on a plane over 10 years are 10 million to 1.

Does this sound like a threat worthy of increasing the already long list of airline passenger indignities? Isn't suffering through longer and longer lines while being shoeless, beltless, waterless, and nail clipper-less enough? Now we've got to be digitally strip searched too?

Then there are the privacy concerns regarding how images could be stored...and just the basic guttural reaction of "screw you I'm not letting you see me naked for no reason" argument.

The Electronic Privacy Information Center, a public interest research group, published documents in January revealing that the machines can record, store and transmit passenger scans.

Are we really to believe the government won't allow these devices to record any data when the easy "go to" excuse for doing so will be the need to gather and store evidence? What about the ability of some hacker in an airport lounge capturing the data using his wi-fi capable PC - and then filing it to a Flickr album, and then telling of its whereabouts on Twitter?

For these reasons, privacy advocates continue to argue for increased oversight, full disclosure for air travelers, and legal language to protect passengers and keep the TSA from changing policy down the road. Again, what's to stop the TSA from using clearer images or different technology later?

Is the loss of freedom, privacy, and quality of life a worthwhile trade-off for unproven protections from a terrorist threat that has a 1 in 10 million chance of killing someone over a ten year time period?

Last year, the groups asked DHS Secretary Janet Napolitano to give the public an opportunity to comment on the proposal to expand the body scanner programme. She rejected the request. Since that time, the groups charge that evidence has emerged that "the privacy safeguards do not work and that the devices are not very effective".

...

The petition states that the body scanners are not effective and are not designed to detect the type of powdered explosive that was involved in the Dec. 25, 2009 "underwear bomber" incident. The petition also states that the privacy safeguards do not work and that the body scanners violate religious beliefs, principally among Muslims.

Despite concerns over costs and benefits, privacy, reliability and safety of airport body scanners, the federal government plans to deploy 500 advanced imaging technology units this year, roll out 500 more in 2011 and operate a total of 1,800 units by 2014, according to recent testimony last to the House Transportation Security and Infrastructure subcommittee.

...

A signatory to the petition, Chip Pitts, president of the Bill of Rights Protection Committee, told IPS, "The full body scanners fall into the same misleading 'techno-utopian' mindset that focuses on the symptoms rather than the causes of terrorism and assumes that some new surveillance technology will somehow eliminate all risk of terrorist incidents."

"What happens instead is that companies push for and the government buys technology that merely fights the last war, produces new intrusions to fundamental freedoms like privacy, the presumption of innocence, and freedom from religious or other discrimination, while yielding only faux security instead of the genuine security promised," he said.

"In the meantime, as Huxley warned in Brave New World, the population becomes used to the new surveillance methods (such as these digital strip searches) that normalise invasions of dignity and serve mainly to enhance government control of the citizenry."

...

The group also contends that documents obtained by EPIC under the Freedom of Information Act "also appear to refute the agency's claims that the devices do not store and record images and that the public does not object to the programme."

...

The petitioners charge that "Deployment of Full Body Scanners in U.S. airports, as currently proposed, violates the U.S. Constitution, the Religious Freedom Restoration Act (RFRA), the Privacy Act of 1974 (Privacy Act), and the Administrative Procedures Act (APA)."

The petition says, "The FBS programme effectively subjects all air travelers to unconstitutionally intrusive searches that are disproportionate and for which the TSA lacks any suspicion of wrongdoing. The FBS Programme also violates the RFRA because it requires those of sincerely held religious beliefs to be subject to offensive intrusions by government officials." Click here to read the article in its entirety.

Being that I'm a part of this petition, I will most certainly keep anyone interested in this issue up to speed on this blog...

Friday, April 16, 2010

Well isn't this good timing?! In my past few posts I have been asserting that people do, young included, care about privacy. The issue isn't that people aren't concerned with privacy, as corporate interests that profit off sharing and selling our private information would like us to all believe (I'm looking at you Google, Yahoo, Facebook, etc.), the issue is proper and user friendly standards do not yet exist on the web to make it easier to choose privacy and protect one's data.

Now, a new study by researchers at UC Berkeley and the University of Pennsylvania indicates younger adults DO want increased privacy and have views similar to those of their elders, even with social networks encouraging them to share more online.

In a recent post I compared this dilemma regarding privacy with that faced by those hoping the public will also become more environmentally conscious, writing:

"People want to, if enabled, to recycle, to drive more efficient cars, and to even use solar energy in their homes. BUT, not if it's made overly difficult, or costly, and if "systems" aren't in place, usually through law, that make it easy, logical, and practical, they won't. In the case of the environment, it's the automakers, big oil, big coal, nuclear, and others. When it comes to privacy, it’s the HUGE money that can be made off our data. The fact is people want, if enabled, to protect their privacy and control their data. BUT, not if it’s made difficult, confusing, or time consuming. And this is why new rules, laws are so desperately needed for cyberspace...If we are given an easy to use and understand "system" (i.e. laws) that allows us to protect our data, share it only through opting in, then we will. If it’s like solving a Rubik’s Cube to do so, we won't.

The good news is it takes very little to create such "systems" that enable us to make better life choices, for ourselves as individuals, and for the society as a whole. The fight is rarely in the practicality of the laws, or system itself, but rather in the corporate interests that are fighting change...because that change might undercut their profits. So if we value privacy as a social good (which it is), and a fundamental liberty and right, then we MUST put rules and laws in place that protect it as such. We are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore. Well, that's easy to say when you are the ones developing the complicated and difficult to find privacy settings consumers have to deal with in order to make money off of that very "complication".

Now let's get to the study, as reported in the San Francisco Chronicle:

"The data show that they and older adults are more alike on many privacy topics than they are different," the researchers concluded.

For example, 82 percent of respondents ages 18 to 24 and 84 percent ages 25 to 34 said they have refused to provide information to a company because they thought it was too personal or not necessary. The percentage was 85 percent for people 65 and older.

And 84 percent of those 18 to 24 believed their permission should be sought before someone uploaded a photo or video of them, statistically close to the 88 percent or more for people older than 45 who had the same belief.

There were differences that showed up when respondents were asked whether a company should be fined more or less than $2,500 for illegally using personal information. While at least 76 percent of Americans 45 or older picked more than $2,500, only 54 percent of people 18 to 24 did the same.

"Public policy agendas should therefore not start with the proposition that young adults do not care about privacy and thus do not need regulations and other safeguards," the researchers said. The results reflect how younger people are less likely to view institutions such as Facebook as a source of risk for privacy problems and may be less aware of privacy laws than older adults, Hoofnagle said. Facebook, which has more than 400 million members, has particularly come under fire for changes in its privacy settings that placed more personal information in public.

What makes this study so important is it's paramount that we shift the burden from the individual trying to protect his/her privacy and onto the company that is storing, sharing or selling it. While this seems like a no brainer, more and more, whether it's the Smart Grid, behavioral marketing on the net, or social networking sites, the debate has centered on the opt-in versus opt-out principles, and which should be the rule of thumb.

Obviously this study makes it ABUNDANTLY clear that the opt-in standard isn't only right in terms of legal control over one's information, but it's what people overwhelmingly WANT! Something to remember as we watch these privacy debates progress...particularly out there in cyberspace in the information age...

Wednesday, April 14, 2010

Some good news on the regulatory front: Privacy advocates plan to file a complaint with federal regulators against tracking and profiling practices used by Google, Yahoo, Microsoft and other Internet companies to auction off ads targeted at individual consumers in the fractions of a second before a Web page loads.

The complaint being filed is by the Center for Digital Democracy, U.S. PIRG, and the World Privacy Forum, charging that a "massive and stealth data collection apparatus threatens user privacy," and asks regulators to compel companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

Internet companies will be asked to acknowledge that the data they collect about a person's online movements through software "cookies" embedded in a Web browser allows advertisers to know details about them, even if those cookies don't have a person's name attached.

As I said in a post last week, people want, if enabled, to protect their privacy and control their data. BUT, not if it’s made difficult, confusing, or time consuming. And this is why new rules, laws are so desperately needed for cyberspace...we need "systems" that will allow users to control their information in an easy, logical, and practical way.

The good news is it takes very little to create such "systems" that enable us to make better life choices, for ourselves as individuals, and for the society as a whole. The fight is rarely in the practicality of the laws, or system itself, but rather in the corporate interests that are fighting change...because that change might undercut their profits.

When it comes to privacy, it’s the HUGE money that can be made off our data. If we are given an easy to use and understand "system" (i.e. laws) that allows us to protect our data, share it only through opting in, then we will. If it’s like solving a Rubik’s Cube to do so, we won't.

So if we value privacy as a social good (which it is), and a fundamental liberty and right, then we MUST put rules and laws in place that protect it as such.

We are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore. Well, that's easy to say when you are the ones developing the complicated and difficult to find privacy settings consumers have to deal with.

As privacy expert Bruce Schneier recently wrote, "People, including the younger generation, still care about privacy. Yes, they're far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They're not technically sophisticated about privacy and make mistakes all the time, but that's mostly the fault of companies and Web sites that try to manipulate them for financial gain.

Here's the problem: The very companies whose CEOs eulogize privacy make their money by controlling vast amounts of their users' information. Whether through targeted advertising, cross-selling or simply convincing their users to spend more time on their site and sign up their friends, more information shared in more ways, more publicly means more profits. This means these companies are motivated to continually ratchet down the privacy of their services, while at the same time pronouncing privacy erosions as inevitable and giving users the illusion of control. There's no malice on anyone's part here; it's just market forces in action. If we believe privacy is a social good, something necessary for democracy, liberty and human dignity, then we can't rely on market forces to maintain it. Broad legislation protecting personal privacy, by giving people control over their personal data is the only solution."

With that, let's get to the article in the San Jose Mercury News regarding this new effort to establish some privacy rules of the road.

"This idea that a cookie is nonpersonal information no longer really applies in this digital age. You don't need to know a person's name to know a person - to understand their likes and their dislikes, the contents of what they read, what they put in their shopping cart. It's really personal now," Jeff Chester, executive director of the digital center, said in an interview. "There's a balance that needs to be set here," he added of the groups' complaint against so-called "real-time" and "behavioral" advertising. "We want online advertising to flourish, but there has to be some rules."...Behavioral advertising refers to the practice of tracking an individual's online movements and using the portrait that emerges to target advertising.

Google launched what it dubbed "interest-based advertising" about a year ago, saying it would make advertising more relevant and interesting by tracking users and categorizing their interests in topics such as sports, gardening, cars and pets. More recently, Google, Yahoo and other advertisers have built their capacity to provide "real-time" ads — adding the element of immediacy by targeting ads that take into account a person's up-to-the-minute behavior. Such real-time ads can be targeted in the 50 milliseconds or less between the time a person clicks on a Web site and the time the page appears.

...

The gist of the disagreement is that privacy advocates say Internet companies should obtain prior consent from users for behavioral advertising, while Yahoo, Google and other companies say the right policy is to allow consumers to opt out if they don't want to be tracked online.

Besides Google and Yahoo, the FTC complaint also names smaller online advertisers such as AppNexus, MediaMath, Rubicon Project and Rocket Fuel. Chester said he and other privacy advocates are particularly concerned that some online marketers are developing the ability to combine a person's Internet history with personal data from their offline life — such as the consumer's race, gender, profession and income — to fine-tune online ad targeting.

Technologies that enable the real-time profiling, targeting and auctioning of consumer data are becoming commonplace as companies incorporate an array of outside data sources for sale online, warned PIRG's Ed Mierzwinski. "In just the last few years, a growing and barely regulated network of sellers and marketers has gained massive information advantages over consumers," he said. "Consumers will be most shocked to learn that companies are instantaneously combining the details of their online lives with information from previously unconnected offline databases without their knowledge, let alone consent," Mierzwinski said.

"These include arthritis, diabetes, GERD and digestive disorders, migraines, sleep disorders, pain management, credit cards, loans and insurance." According to Privacy Choice, any site in Google's vast AdSense network may carry ads placed by third-party ad companies, which Google calls "certified ad networks," the filing noted. "This is an important privacy development, as it means that more than 80 new companies may now use or collect user behavioral information through Google ad tags that are already installed on millions of web pages."

...

What's more, the groups believe that consumers ought to receive fair financial compensation for the use of their data. Additionally, they want the FTC to prepare a report that informs consumers and policy-makers in Congress about the privacy risks and consumer-protection issues involved.

Friday, April 9, 2010

I was happy to find an editorial by The Nation magazine today entitled "The Surveillance Regime". I say this not because it's good news that Obama has been such a deep disappointment when it comes to issues related to privacy and civil liberties, but rather, because this fact has not received deserved attention, and condemnation, from the left.

The trend, on these issues, and others, paints a disturbing narrative, a narrative that points in one direction only: an increasingly intrusive surveillance state with an all powerful Executive Branch that is essentially above the law.

The editorial will lay out some of the specific ways in which the Obama Administration has, in some respects, doubled down on Bush Administration crimes and efforts to expand Executive power. First though, let me just explain why this is so important.

If we can all go back in time for a minute, and remember those dark days of the Bush Administration (i.e. all of them), we should also remember the consistent, vehement, and vocal opposition from the left to Bush assaults on privacy and the constitution, from eavesdropping, to indefinite detention, to state secrets, to the Patriot Act abuses, and so on, and so forth.

This vehement opposition was of course warranted, and important. But now that Obama is President, and CONTINUING THESE POLICIES, the same outcry that once existed has become a whimper. No, I'm not talking about groups like the ACLU or EFF, but certainly Democrats in Congress, left wing talk radio, and even newspaper editorial boards.

And why is this silence so damaging? Because a so-called "liberal" President, a constitutional scholar no less, has now codified what just a few years ago were rightly considered radical attacks on the Constitution and Rule of Law. Now those very same policies have not only been embraced by the new President, but have been accepted by the Democrats in Congress!! In other words, the ball has just moved WAY towards the neoconservative worldview, and their interpretation of an all powerful Executive Branch.

The idea that because Obama is more intelligent, measured, and schooled in constitutional law than Bush (all of which is true), that this somehow means we should entrust him with near unchecked powers, be it wiretapping, assassination of American citizens, or indefinite detention, is patently absurd. Even if it were true that he would use these powers wisely (which is impossible), what's to say the next President will too?

Glenn Greenwald articulated my point (one I've been making here for quite some time) perfectly in a post of his today, stating: Here again, we see one of the principal and longest-lasting effects of the Obama presidency: to put a pretty, eloquent, progressive face on what (until quite recently) was ostensibly considered by a large segment of the citizenry to be tyrannical right-wing extremism (e.g., indefinite detention, military commissions, "state secrets" used to block judicial review, an endless and always-expanding "War on Terror," immunity for war criminals, rampant corporatism -- and now unchecked presidential assassinations of American citizens), and thus to transform what were once bitter, partisan controversies into harmonious, bipartisan consensus...

Ever since Barack Obama took office, accountability for rights violations during the "war on terror" has been thin. Victims of wrongful overseas detention, surveillance and torture have received no apology and no reparations. Despite an early commitment to close Guantánamo, 183 prisoners remain there. Indeed, Obama has released fewer detainees than Bush did during his last year in office. And despite an early promise to protect the First Amendment rights of Muslim charities, Obama has done nothing to change the onerous application of terrorism financing laws. Walker's decision is only the second to have ruled against the so-called Terrorist Surveillance Program. All other challenges--including one against the odious 2008 FISA Amendments Act (FAA), which The Nation has joined as a plaintiff--ultimately got booted at the courthouse door.

...

Continuity, not change, has characterized the conduct of Eric Holder's Justice Department. Walker documents, in his opinion, the government's persistent "refusal to cooperate with the court's orders," its improper use of procedural delays and even point-blank refusals to produce information. Yes, this was business as usual during the Bush era. But Walker was talking about events on Obama's watch.

Nor is Walker's experience unusual. In lawsuits by survivors of the CIA's "black sites" and Guantánamo's interrogation rooms, the government either keeps insisting that "state secrets" require outright dismissal or has stuck to the canard that noncitizens forcibly brought into US custody overseas lack all constitutional rights. In Guantánamo litigation, habeas lawyers complain about obfuscation, secrecy and delay not dissimilar from what they faced in the Bush era.

Before I get to the article, which I will post nearly in full, let me highlight a recent study that tells the story about what Facebook, and other social networking sites are doing to undermine privacy (and which could be stopped immediately without affecting the general enjoyment one gets from using them).

The study found that the 43 leading sites made privacy control settings difficult to find and to understand; and the defaults were almost always set to allow maximum dispersal of data. That's just a taste of wherein lies the problem...check out my posts for more.

As I stated to the PUC two weeks ago, with Google lobbyists in the room no doubt, "...one Google product after another – from Google Buzz to Google Books - has been a virtual privacy train wreck. The company's refusal to make public how often information about their users is demanded by, or disclosed to the government, is all the more disconcerting."

Google’s CEO, Steve Schmidt recently stated "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

As you let that sink in, he also said:

"… the reality is that search engines including Google do retain this information for some time, and it's important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities."

Finally, I also quoted Schneier to the Public Utilities Commission, a quote I think deserves repeating: “…lack of privacy shifts power from people to businesses or governments that control their information. If you give an individual privacy, he gets more power…laws protecting digital data that is routinely gathered about people are needed. The only lever that works is the legal lever...Privacy is a basic human need…The real choice then is liberty versus control.”

With that, let's get to the man himself. Schneier writes in Forbes:

In January Facebook Chief Executive, Mark Zuckerberg, declared the age of privacy to be over. A month earlier, Google Chief Eric Schmidt expressed a similar sentiment. Add Scott McNealy's and Larry Ellison's comments from a few years earlier, and you've got a whole lot of tech CEOs proclaiming the death of privacy--especially when it comes to young people.

It's just not true. People, including the younger generation, still care about privacy. Yes, they're far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They're not technically sophisticated about privacy and make mistakes all the time, but that's mostly the fault of companies and Web sites that try to manipulate them for financial gain.... People's relationship with privacy is socially complicated. Salience matters: People are more likely to protect their privacy if they're thinking about it, and less likely to if they're thinking about something else. Social-networking sites know this, constantly reminding people about how much fun it is to share photos and comments and conversations while downplaying the privacy risks. Some sites go even further, deliberately hiding information about how little control--and privacy--users have over their data. We all give up our privacy when we're not thinking about it....

Here's the problem: The very companies whose CEOs eulogize privacy make their money by controlling vast amounts of their users' information. Whether through targeted advertising, cross-selling or simply convincing their users to spend more time on their site and sign up their friends, more information shared in more ways, more publicly means more profits. This means these companies are motivated to continually ratchet down the privacy of their services, while at the same time pronouncing privacy erosions as inevitable and giving users the illusion of control.

You can see these forces in play with Google's launch of Buzz. Buzz is a Twitter-like chatting service, and when Google launched it in February, the defaults were set so people would follow the people they corresponded with frequently in Gmail, with the list publicly available. Yes, users could change these options, but--and Google knew this--changing options is hard and most people accept the defaults, especially when they're trying out something new. People were upset that their previously private e-mail contacts list was suddenly public. A Federal Trade Commission commissioner even threatened penalties. And though Google changed its defaults, resentment remained....

Facebook tried a similar control grab when it changed people's default privacy settings last December to make them more public. While users could, in theory, keep their previous settings, it took an effort. Many people just wanted to chat with their friends and clicked through the new defaults without realizing it.

Facebook has a history of this sort of thing. In 2006 it introduced News Feeds, which changed the way people viewed information about their friends. There was no true privacy change in that users could not see more information than before; the change was in control--or arguably, just in the illusion of control. Still, there was a large uproar. And Facebook is doing it again; last month, the company announced new privacy changes that will make it easier for it to collect location data on users and sell that data to third parties.

With all this privacy erosion, those CEOs may actually be right--but only because they're working to kill privacy. On the Internet, our privacy options are limited to the options those companies give us and how easy they are to find. We have Gmail and Facebook accounts because that's where we socialize these days, and it's hard--especially for the younger generation--to opt out. As long as privacy isn't salient, and as long as these companies are allowed to forcibly change social norms by limiting options, people will increasingly get used to less and less privacy.

There's no malice on anyone's part here; it's just market forces in action. If we believe privacy is a social good, something necessary for democracy, liberty and human dignity, then we can't rely on market forces to maintain it. Broad legislation protecting personal privacy, by giving people control over their personal data is the only solution.

Click here for the rest of the article (though I admittedly nearly posted all of it).

I can't agree with him more. I used to work, and still occasionally do (and will again in the future), on environmental issues, and the dilemma is very similar. People want, if enabled, to recycle, to drive more efficient cars, and to even use solar energy in their homes. BUT, not if it's made overly difficult, or costly, and if "systems" aren't in place, usually through law, that make it easy, logical, and practical, they won't.

The good news is it takes very little to create these "systems" that enable us to make better life choices, for ourselves as individuals, and for the society as a whole. The fight is never in the practicality of the laws, or system itself, it's in the special, usually corporate interests that are fighting change...because that change might undercut their profits.

In the case of the environment, it's the automakers, big oil, big coal, nuclear, and others. When it comes to privacy, it's the HUGE money that can be made off our data, both through selling it and then utilizing it for marketing.

So the fact is, privacy is similar. If we are given an easy to use and understand "system" (i.e. laws) that allows us to protect our data, share it only through opting in, then we will. If it's like solving a Rubik's Cube to do so, we won't. So we come down to the choice that Schneier articulates: if we value privacy as a social good (which it is), and a fundamental liberty and right, then we MUST put rules and laws in place that protect it as such.

Friday, April 2, 2010

Before I get to the latest astonishingly bad privacy policy of Facebook, let's take a trip back through some of the company's greatest hits. Now, as I have written here in the past, with the explosion in popularity of social networking sites, the ability to protect one's personal privacy has become increasingly challenging.

Social networking sites like Facebook (which I use) reveal a considerable amount of information about a user's lifestyle, interests, and goals. Depending on the user's settings, co-workers, employers, and certain family members could have access to information about the user that may be better left unknown.

But it gets worse, a lot worse. A recent study found that the 43 leading sites made privacy control settings difficult to find and to understand; and the defaults were almost always set to allow maximum dispersal of data.

Recent Facebook flaps have highlighted the growing concern about the increasingly sophisticated technologies used to track online activities in an effort to more precisely target advertising. What has also become apparent is that these social networking sites have not exactly been forthcoming about how much user information they harvest, share, and with whom.

On the bright side, users have been becoming more and more conscious of privacy concerns, as Facebook has been criticized for not allowing people to permanently delete their accounts and personal information from the site as well as their use of "Beacon" (no longer in use) - a technology that tracks users' online purchases and informs their friends.

But Facebook didn't stop there. Next, they released their new privacy settings, which were new, but were actually less private.

There's more "publicly available information" that you can't control, there was the official "recommendation" that users should loosen their privacy settings, since Facebook's recommendations are less private than the previous default settings, most users have to click through to another page of privacy controls in order to strengthen their settings, and finally, the default settings are all set to the LEAST private setting.

Even if your Facebook profile is "private," when you take a quiz or run any other application, that app can access almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. And these apps may have access to most of the info on your friends' profiles too—which means if your friend takes a quiz, they could be giving away your personal information, even if you've never used an app!

The privacy settings that address this issue remain buried behind too many layers of menus and the new controls still fail to explain what applications can really see.

Then there's government and law enforcement access. Facebook reportedly receives up to 100 demands each week seeking information about its users. AOL reportedly receives 1,000 demands a month. In 2006, a U.S. Attorney demanded book purchase records of 24,000 Amazon.com customers. (In a show of loyalty to users, the company successfully fought back against the subpoena.)

As Nicole Ozer of the ACLU pointed out, "We shouldn't have to pay for these seemingly free online services with personal details about our lives."

With all that said, one would think that Facebook would have learned its lesson - or at least not come out with a plan that doubles down on its disdain for privacy. But that's exactly what they did last week (I was on vacation so couldn't post on it).

I gotta say, even I was a bit surprised by this brazen proposal. As Jared Newman of PC World notes, Under Facebook's current rules you're asked first if you want to share information (your name, photos and friends list) with third-party sites. The proposed policy, which Facebook hasn't implemented yet, would bypass asking you for approval when visiting some sites and applications Facebook has business relationships with, sharing limited personal information automatically.

In other words, if Facebook deems a Web site or application trustworthy, it'll immediately grab your information when you visit or use it, provided you're logged into Facebook when that happens. Users will be able to opt-out, but it's not clear if this would happen on a user's settings page or by some other means. Facebook didn't get into specifics on when these changes will be made, why they're happening now or which sites will be participating.

...

Facebook users are understandably sensitive about what the site does with their personal data. In 2007, the site got into hot water over Beacon, which logged user activity on third-party sites even when they weren't logged into Facebook, and optionally published that activity to users' profiles. That resulted in a $9.5 million lawsuit settlement last December. This proposal differs from Beacon in that the user must be logged into Facebook to share data, and there's no indication that Facebook will log or publish what you do on those sites.

Facebook also retooled user privacy settings in December in hopes that people would make parts of their profiles public. That effort backfired when users realized their friends lists were made public even when the rest of their profiles were not, causing Facebook to relent and tweak its settings.

Click here to read more.

Facebook’s draft privacy policy states that we'll be able to opt-out of these sites, and we'll also be able to opt-out of these ‘pre-approved’ experiences entirely. But by default, we're all in. Seems a bit inconvenient, no?

Another immediate question I had was what personal information are they sharing? Here’s how Facebook defines the term ‘General Information’:

The term General Information includes your and your friends’ names, profile pictures, gender, connections, and any content shared using the Everyone privacy setting. We may also make information about the location of your computer or access device and your age available to applications and websites in order to help them implement appropriate security measures and control the distribution of age-appropriate content.

That's a lot of information if you ask me. As the PC World article notes, Facebook users aren't too happy about this new policy:

Right now, there are more than 900 comments on the blog post in which Facebook Deputy General Counsel Michael Richter announced the proposed changes. Most of them are negative (though more than 2000 people "like" the blog post itself). Users are particularly angry that the third-party data sharing is opt-out, meaning users will take part by default.

Let's hope a large enough outcry from users will suffice in Facebook rethinking this new policy...that really sets the bar for intrusiveness and bad privacy policy.

And, if you're like me, and had some problems figuring out Facebook's privacy settings, check out this two-part video series explaining how to do it right...something I'm going to go over myself again tonight.

I've got another great piece by Glenn Greenwald on the outstanding news that yes, a crime is still, at least sometimes when committed by the government in its phony "war on terror", STILL A CRIME in this country. I want to let Greenwald provide the larger context regarding this victory, which I will get to shortly, but for those that haven't been following the long, strange legal trip that warrantless wiretapping has gone through, or need a little refreshing, let me provide a little backdrop by reposting a past summation I've given here:

First, to highlight the gravity of this issue and why it's still critically important to address, in 2008, a government report was released that disclosed that President Bush authorized secret surveillance activities that went beyond the previously disclosed NSA program – raising the prospect of additional unlawful conduct (which has now been confirmed!).

This new information had led to concerns in Congress about the agency’s ability to collect and read domestic e-mail messages of Americans on a widespread basis. Supporting that conclusion is the account of a former N.S.A. analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans’ e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.

Then we got another report, mandated by Congress and produced by the inspectors general of five federal agencies, that found that other intelligence tools used in assessing security threats posed by terrorists provided more timely and detailed information. In fact, NOT ONE instance could be cited that demonstrated the wiretapping program prevented any attack of any kind, ever. Nor did it lead to the capture of any terrorists.

In light of these facts, one would think that the Obama Administration would come down somewhere at least close to the position that candidate Obama espoused on the campaign trail. Sadly, the opposite has been true, as demonstrated by the Administration's pro-wiretapping, state secrets expanding stance.

Rather than trying to take the public policy route, groups like EFF went to the Courts. Initially, Judge Walker ruled in 2006 that the AT&T customers could sue the company for allegedly allowing federal agents to intercept their calls and e-mails and seize their records without a warrant.

Then in 2008, he threw out more than three dozen lawsuits claiming that the nation’s major telecommunications companies had illegally assisted in the wiretapping without warrants program approved by President Bush after the 2001 terrorist attacks.

But, while he said the objections of the privacy groups were not strong enough to override the wishes of Congress, Judge Walker did show some sympathy for the plaintiffs’ claims.

He had refused the government’s efforts to invoke the “state secrets” privilege and had moved toward compelling the Justice Department to turn over documents. EFF and the ACLU appealed the case - a case in which Judge Walker kept intact related claims against the government over the wiretapping program...which he has now ruled in favor of the people and the Constitution!

Before I get to Greenwald, here's Olbermann's March 31st interview with New York Times journalist James Risen - the reporter who first broke this story:

While torture and aggressive war may have been the most serious crimes which the Bush administration committed, its warrantless eavesdropping on American citizens was its clearest and most undeniable lawbreaking. Federal District Judge Vaughn Walker yesterday became the third federal judge -- out of three who have considered the question -- to find that Bush's warrantless eavesdropping program was illegal (the other two are District Judge Anna Diggs Taylor and 6th Circuit Appellate Judge Ronald Gilman who, on appeal from Judge Taylor's decision, in dissent reached the merits of that question [unlike the two judges in the majority who reversed the decision on technical "standing" grounds] and adopted Taylor's conclusion that the NSA program was illegal).

That means that all 3 federal judges to consider the question have concluded that Bush's NSA program violated the criminal law (FISA). That law provides that anyone who violates it has committed a felony and shall be subject to 5 years in prison and a $10,000 fine for each offense. The law really does say that. Just click on that link and you'll see. It's been obvious for more than four years that Bush, Cheney, NSA Director (and former CIA Director) Michael Hayden and many other Bush officials broke the law -- committed felonies -- in spying on Americans without warrants. Yet another federal judge has now found their conduct illegal. If we were a country that actually lived under The Rule of Law, this would be a huge story, one that would produce the same consequences for the lawbreakers as a bank robbery, embezzlement or major drug dealing. But since we're not such a country, it isn't and it doesn't.

Although news reports are focusing (appropriately) on the fact that Bush's NSA program was found to be illegal, the bulk of Judge Walker's opinion was actually a scathing repudiation of the Obama DOJ. In fact, the opinion spent almost no time addressing the merits of the claim that the NSA program was legal. That's because the Obama DOJ -- exactly like the Bush DOJ in the case before Judge Taylor -- refused to offer legal justifications to the court for this eavesdropping. Instead, the Obama DOJ took the imperial and hubristic position that the court had no right whatsoever to rule on the legality of the program because (a) plaintiffs could not prove they were subjected to the secret eavesdropping (and thus lacked "standing" to sue) and (b) the NSA program was such a vital "state secret" that courts were barred from adjudicating its legality.

In my statement to the PUC just two weeks ago, I addressed the steady deterioration of privacy as both a right, and an idea, and used the warrantless wiretapping issue as one example. I stated, "It wasn’t long ago that the idea of our government wiretapping American citizens without warrants for purposes other than national security would have been revolting. Now it's official Government policy – and the telecom companies that participated in these crimes have been given retroactive immunity while continuing to make billions off overcharging the same customers they betrayed."

I'm happy to say that my assertion was validated by yet another judge, that being the program was ILLEGAL, but I am unhappy to say that this story has not received the media and political attention it deserves - one of my other consistent assertions on this blog, and to the PUC.

To recap the general, and radical State Secrets interpretation advocated by both the Bush and Obama Administrations - blasted out of the water yesterday by Judge Walker - the White House can block courts from ruling on the legality of their alleged crimes by simply defining it as a vital "secret".

But that wasn't the only nefarious argument made by the Administration and rejected by the judge. The other was that since citizens cannot show their messages were intercepted or specify the damage done to them, they have no right to sue. And since this information is top secret, disclosure of who was targeted and why would be a threat to national security. You get the idea...it's a kind of circular logic that ensures two things: the government gets away with their crimes and the people suffer the consequences.

Thankfully, in this case, the Obama Administration was unsuccessful in broadening the scope of this privilege, which would have given the Executive Branch even more power and unaccountability than it already has - serving to validate and reinforce Vice President Cheney's "unitary executive" theory that gained such traction during the Bush years.

Do we really want our Presidents shielded from judicial review or accountability when they are accused of breaking the law? Should entire cases be thrown out simply because the Executive Branch claims that there is something in some document that is so secret it will threaten our national security?

Now, according to yet another judge, the answer to these questions is an emphatic NO.

I do find it disturbing that the media, and certainly the right wing, still seem to treat the legality of this program as a "debate", and NO demands are being made for prosecution. The fact is, it hasn't been a "debate" since it was first exposed in 2005. It was blatantly illegal then, and blatantly illegal still. Yet, we have yet to hear ANYTHING about prosecuting those who committed these crimes, or ensuring that similar crimes won't happen again... which current so-called protections and reforms allow.

As Glenn Greenwald noted, "Three federal judges have now concluded that it was illegal. And yet not only do we do nothing about it, but we stand by as the Obama administration calls this criminal program a vital 'state secret' and desperately tries to protect it and the lawbreakers from being subject to the rule of law. This decision may make it more difficult for the Obama administration to hide behind sweeping secrecy claims in the future, but it won't negate the fact that we have decided that our leading political officials are completely free to commit crimes while in power and to do so with total impunity."

PRIVACY REVOLT! tackles the issues at the intersection of civil liberties and technology, with news and commentary on government and corporate surveillance, identity theft, data brokers, tracking devices, and the security of consumers' financial, medical, and phone records.
